Last week I congratulated the Spanish National Police for the fantastic job they did taking down a cybercrime gang that was using the well-known “police virus”, but I already pointed out that this was not going to be the end of this threat, as most likely there were a number of different gangs using the same kind of attacks.
I talked about several pieces of evidence that pointed to this: techniques within the malware that were no longer used suddenly appearing again (encryption of files on the infected computers, for example), the same actions (like showing the fake police warning screen) being performed in completely different ways, which shows that they were different projects, and the fact that we are still seeing new attacks on a daily basis.
Anyway, I decided to pull the thread and look for some figures to see whether they are consistent with the evidence described above. In most cases, computers get infected via the infamous “exploit kits”, tools used by cybercriminals to install different malware just by visiting a compromised web site, without any user intervention. To achieve this, exploit kits use different security holes in software installed on the computer, most of them in Java or Adobe products, as this is very popular software with hundreds of millions of users and, sadly, many security holes. To make it worse, many users do not bother updating that software, which is like having an open door in your computer with a big sign saying “please infect me”. In short: infecting computers is child’s play in many cases.
This is why some months ago we deployed a new technology in Panda Cloud Antivirus that stops infection attempts that try to exploit this kind of vulnerability (even when it is an unknown vulnerability) and, furthermore, sends information to our cloud about the malware file that was trying to infect the system.
Out of all that data, I have extracted a couple of different families that belong to the police virus to see how many infections we stopped from December 2012 until mid-February 2013. In other words, we are talking about Panda Cloud Antivirus users who, while on the Internet, were attacked with an exploit they had no protection for (their software wasn’t updated, most of it Java related) and whose aim was to infect them with one of these 2 particular families of the police virus.
The Russian head of the cybercriminal gang was arrested in Dubai last December. If this was really the only gang behind these attacks, as some media have reported, the number should have dropped considerably. However, this is the result:
As we can see, the number of blocked infections is not going down; it has increased by 2! This is proof that we will have to deal with this police virus for a long time; the war is not over yet (as usual).
These 2 families, as well as many others, are detected by Panda under the name Trj/Ransom.AB. If you have already been infected and need some help, our Technical Support team has the following instructions, which work really well to solve all your problems.
Finally, some advice to avoid becoming a victim of these cybercriminal gangs:
- Update. All installed software. From the operating system to any other software you have on your computer. Don’t be lazy, it is worth it.
- Uninstall any Java plugin in the browser. You don’t need it and you get rid of a HUGE risk. Not only this: unless you need Java to run some local application on your computer, remove it completely. I did this a long time ago. An ounce of prevention is worth a pound of cure.
Today, we have some important news to share with you. Our friends in the Technological Investigation Brigade of Spain’s National Police, together with Europol and Interpol, have dismantled the cyber-crime ring responsible for the “Police Virus”. According to the news release published by Spain’s Ministry of Home Affairs, the police have arrested ten members of the computer hacking group, responsible for taking in around 1 million euros per year from victims of their scams. The arrested people include six Russians, two Ukrainians and two Georgians, all of them living in Spain.
The head of the gang, a citizen of Russian origin, was also arrested in the operation. Oddly enough, and despite his origin, he was arrested in Dubai while on vacation, and awaits extradition to Spain. The operation remains open and more arrests could be forthcoming.
In any event, and before we all start celebrating, it must be said that in our opinion, based on our research of the Police Virus, there is more than one group behind the attacks. We’ve reached this conclusion after having studied multiple variants of this malware over time and having detected numerous striking differences among them.
Here on this blog we have posted several reports on the Police Virus and its evolution over time. This evolution is absolutely normal and it doesn’t necessarily mean that there are various teams behind the attacks, as it is quite normal for cyber-criminals to try different techniques to infect as many people as possible.
However, there is other evidence to the contrary: We saw how certain techniques that had apparently been abandoned (like the encryption of files on the victim’s computer) were suddenly put to use again; or how different variants used completely different techniques to achieve the same results (display a fake police warning on screen). All the evidence seems to indicate that we are dealing with different projects.
This wouldn’t be too surprising after all. If you analyze the situation from a purely commercial point of view, it would be something like this: someone comes up with a money-making idea, and others copy it quickly to get the same results. It happens all the time. In this particular case, it seems that there are different gangs ‘in the same line of business’.
Another clear piece of evidence is the fact that the attacks keep repeating, even at this very minute: there are new Police Virus infections asking for their €100 fine. Here are a couple of screenshots of two new variants we detected a couple of minutes ago, as I was typing these lines:
Anyway, this is still good news for everyone: another cyber-crime ring has been dismantled, and law enforcement agencies around the world keep making progress towards defeating the cyber threat.
I do not want to bore you to death, so just a few tips on the topic:
- Do not run attached files that come from unknown sources. Stay on alert for files that claim to be Valentine’s Day greeting cards, romantic videos, etc.
- Do not open emails or messages received on social networks from unknown senders.
- Do not click any links included in email messages, even though they may come from reliable sources. It is better to type the URL directly in the browser. This rule applies to messages received through any mail client, as well as those in Facebook, Twitter, or other social networks or messaging applications, etc. If you do click on any such links, take a close look at the page you arrive at and if you don’t recognize it, close your browser.
- Even if a page seems legitimate, if it asks you to download something, be suspicious and don’t accept the download. If you download and install any type of executable file and you begin to see unusual messages on your computer, you have likely been infected with malware.
- If you are making any purchases online, type the address of the store in the browser, rather than going through any links that have been sent to you. Only buy online from sites that have a solid reputation and offer secure transactions, encrypting all information that is entered in the page.
- Do not use shared or public computers, or an unsecured WiFi connection, for making transactions or operations that require you to enter passwords or other personal details.
- Have an effective security solution installed, capable of detecting both known and new malware strains.
Today we are publishing the latest PandaLabs Annual Report, covering the major security news of 2012, from mobile malware to cyber-war, and all the major events in different areas such as social networks.
We also cover the security trends for 2013, as well as some of the main figures related to malware:
- 27 million new malware strains found in 2012, at an average of 74,000 new samples per day.
- Three out of every four malware infections were caused by Trojans.
- China, South Korea and Taiwan are the world’s most infected countries.
The full report is available here.
Unsurprisingly, the Blackhole Exploit Kit is still trying to infect users. One of the techniques commonly used is to send the victim an email purportedly from, for example, Facebook, LinkedIn, Twitter, etc., asking them to click on a link.
We’ll take a small peek at those tactics. We received the following email:
You have disabled your Facebook account. You can restore your account at any moment by logging into Facebook using your old login email address and password. Subsequently you will be able to use the site in usual way.
The Facebook Team
Obviously, Facebook didn’t disable your account at all. Several factors make it easy to determine that this email is fake:
- The ‘From’ field says it’s from “Facebook”; however, the sender is clearly ‘firstname.lastname@example.org’.
- Have you disabled your account? If not, then there’s no reason to receive this mail.
- The subject and the content of the email do not match.
- Hovering over the links in the email reveals the real URLs, which are not Facebook URLs.
When clicking on any of the links, you are presented (after several redirects) with the Blackhole Exploit Kit (aka BH EK). It tries to load a Java exploit on the machine by first detecting which plugin and Java version you are using:
The payload? Probably ransomware or a Banker Trojan.
Use the WOT add-on to check on the status of a website.
Use your common sense and ask yourself the proper questions (see below).
As usual with this kind of email, stay alert and always ask yourself the proper questions:
- Why did this get in my Unwanted Email or Spam folder if I normally get Facebook mails in my normal Inbox?
- Why would Facebook send me this when my account isn’t disabled at all?
- Why are those links not pointing to Facebook websites?
- Why is the sender not from Facebook itself? What can I see in the headers?
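Two of the red flags above (a ‘From’ display name claiming a brand whose real sender domain doesn’t match, and links whose hosts fall outside that brand’s domains) can be checked automatically. The following Python script is an added example, not part of the original post: the sample message, its sender address and link hosts are constructed placeholders, and the list of legitimate brand domains is an assumption.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample lure, modelled on the "disabled account" email discussed
# above. Sender address and link hosts are placeholders, not real indicators.
RAW_LURE = b"""\
From: Facebook <firstname.lastname@example.org>
Subject: Your account has been disabled
Content-Type: text/html; charset=utf-8

<p>You have disabled your Facebook account. You can restore it
<a href="http://restore-account.example.net/login">here</a>.</p>
<p><a href="https://www.facebook.com/help">Help Center</a></p>
"""

# Assumed list: domains from which the brand legitimately sends mail.
BRAND_DOMAINS = {"facebook": ("facebook.com", "facebookmail.com")}


class LinkCollector(HTMLParser):
    """Collect every href in the HTML body (what hovering over a link shows)."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def host_matches(host, domains):
    """True if host equals one of the domains or is a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def check_lure(raw):
    """Return the red flags found in a raw RFC 5322 message (empty if none)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flags, claimed = [], None
    sender = msg["From"].addresses[0] if msg["From"] and msg["From"].addresses else None
    if sender is not None:
        # Which brand does the display name claim? Compare with the real domain.
        claimed = next((b for b in BRAND_DOMAINS if b in sender.display_name.lower()), None)
        if claimed and not host_matches(sender.domain, BRAND_DOMAINS[claimed]):
            flags.append(f"display name claims {claimed} but sender domain is {sender.domain}")
    body = msg.get_body(preferencelist=("html",))
    if body is not None and claimed:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href in collector.hrefs:
            host = urlparse(href).hostname or ""
            if not host_matches(host, BRAND_DOMAINS[claimed]):
                flags.append(f"link {href} points outside {claimed} domains ({host})")
    return flags
```

Run `check_lure(RAW_LURE)` on the constructed message and it reports both the mismatched sender domain and the off-brand link, while the genuine facebook.com help link raises no flag.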
Use your common sense, update your third-party applications as well as Windows, and use a decent antimalware and antivirus product, like Panda Cloud Antivirus Free.
Author: Bart Parys
As the old saying goes, “All that glitters is not gold”. We live in a time of information abundance, overloaded with eye-catching news stories and links received via Twitter, Facebook, email, WhatsApp, LinkedIn and any other social networking site you may be on. The problem is that very often that information is nothing more than ‘noise’.
We’ve seen it before: warnings claiming that Messenger is closing down (although this has turned out to be true), users can switch the blue color of their Facebook profiles by clicking a link, Twitter will become a paid-by-users service… Normally, these messages are nothing but harmless hoaxes, but sometimes they can have serious consequences.
One of the hottest topics lately has been the fragile health of Venezuelan President Hugo Chavez. In the rush to be first, the news media sometimes report incorrect information or make blatant mistakes, as happened this week with Spain’s leading newspaper El País, which published a phony picture of President Hugo Chavez in his hospital bed. If such a prestigious newspaper as El País falls victim to a deception, just imagine what can happen to the rest of us, humble Internet users exposed to tons and tons of information and links we sometimes click without even thinking about it…
An email message purportedly containing a photo of Hugo Chavez. One link. One click. One Trojan. One infection. A massive infection of your company’s network. This is more common than you may think.
Remember when Steve Jobs passed away? Just a few hours after his death, a group of scammers had created a Facebook page called “R.I.P. Steve Jobs” which amassed more than 90,000 fans in just a few hours. The page contained a malicious URL and a text claiming that 50 free iPads were being given away ‘in memory of Steve Jobs’. However, to participate in the drawing, users were asked to enter personal details such as their name, phone number, email address, etc.
Another notorious scam, which affected a large number of Internet users, involved a supposed sex tape of Katy Perry and Russell Brand used to spread malware via Facebook at the beginning of 2012. Victims received the following message on their Facebook walls:
If the user clicked the link, they were taken to a fake Facebook page where they were invited to download a plug-in to watch the video. The plug-in, however, was designed to post the scam to the victims’ friends’ pages and take them to a typical scam site where they were asked to enter their phone numbers in order to send them unwanted premium rate text messages.
These are just a couple of examples of Internet scams preying on users’ curiosity. Actually, this is one of cyber-criminals’ favorite ways to spread infections. And I am pretty sure it won’t be long before President Chavez is used as bait to distribute malware.
PandaLabs offers users tips on how to avoid falling victim to this type of scam:
- Be wary of websites or messages offering sensational videos or unusual stories.
- Before you click on a link sent by one of your contacts, make sure it has been intentionally sent by your friend and it is not the result of a massive scam.
- Don’t accept friend requests from people you don’t know. This will help keep your privacy safe.
- Always keep your computer’s operating system and Web browsers up to date, and make sure you have an up-to-date antivirus solution installed.
Last Friday my friend Bob McMillan wrote an article on Wired (Google Declares War on the Password) which talks about a research paper Google will publish this month. I don’t know how many times we have mentioned how important it is to choose a good set of passwords, at least 1,000 times. We have written about that in this very same blog, as well as in our tech support blog La Piazza.
However, most users are still using the same password for all online services (Facebook, Twitter, PayPal, eBay, Amazon, Google, etc.) and, even worse, that password is created either from personal information (as if I used “luiscorrons” as a password) or is really simple so it can be remembered easily (“12345”, “admin”, “password”, etc.).
Probably, as a reader of this blog, you are concerned about security and you have different passwords for each service, without personal information so they cannot be guessed, etc. Now the question is: even if we use different and strong passwords, are we safe? And let’s be honest: no, we are not safe. A simple password cannot guarantee the safety of our digital life. That’s why two-factor authentication has been in place for a few years. At this point it is mandatory to read what happened to Mat Honan to find out what we are risking, and how our whole digital life can be compromised or even erased. And even more importantly, how he describes that if he had used Google two-factor authentication the attack on him would probably have failed. However, this doesn’t mean that passwords are useless. They are the very first layer of security, and as such they are important, and currently they are the only way to authenticate in most places.
At this point you may think of two-factor authentication as the holy grail. But it is not. Of course it improves security, but even if we use a second device for this (our smartphone, for example) we have already seen attacks that can circumvent these measures, banking Trojans being one of the best examples. But this doesn’t mean we don’t have to use it, only that we have to be aware of these attacks. Other two-factor authentication approaches involve the use of dedicated hardware, such as the RSA SecurID. And I am really looking forward to that research paper from Google, which will propose new ways of improving user validation.
But what’s this all about? At the end of the day, what we are doing is identifying ourselves, showing proof that I am who I claim to be when I access my Facebook account. Another approach could involve biometric authentication, which could avoid having to use complicated passwords. And we’ll probably get there; in fact, a number of smartphones can already recognize their owner using this kind of technique.
However, remember that there is no perfect system, and whatever we use, it has to be translated into binary code. What if someone is able to steal that information? We can change a password, but changing our fingerprints might be a bit more difficult. But don’t panic yet: biometric authentication doesn’t mean that you have to scan your fingerprint and have it sent to Facebook or whatever site you want to access. In the same way that the best approach for passwords is the one where the website (or whatever service you are using) does not store your password, but only salted hashes of it, we *shouldn’t* see anyone sending your biometric information.
Let’s see what this new proposal from Google is, and we’ll see if it can help protect our identity.
Last week a new Java 0-Day was spotted in the wild. In short, anyone with Java installed and enabled in their browser could easily be infected while visiting any website that was using the exploit to take advantage of Java’s latest security hole.
What can we do to protect ourselves? I give you 2 different options:
1.- Oracle has released a patch; update your Java to avoid cybercriminals infecting your computer using this exploit.
2.- Disable Java. Millions of users have Java installed and they never use it. If that is your case, you should uninstall it. If you have doubts, disable it, and once you verify that all your programs and web sites are working smoothly, uninstall it. To be sure it is no longer on your computer, visit this web page, where you should get the following message:
And of course don’t click the button below the message or it will be installed again.
Update 22-01-2012: our Panda Cloud Antivirus team has been studying how this vulnerability works and it turns out that we were already proactively protecting against it. You can read the details in their blog.